Cybersecurity researchers have disclosed a broad China-aligned espionage campaign targeting government and defense sectors across South, East, and Southeast Asia, along with one European government belonging to NATO. Journalists and civil society activists are also being targeted in parallel phishing campaigns.

The SHADOW-EARTH-053 Campaign

Trend Micro attributed the government-targeting activity to a threat cluster tracked as SHADOW-EARTH-053, active since at least December 2024. The group exploits N-day vulnerabilities in internet-facing Microsoft Exchange and Internet Information Services (IIS) servers as initial access vectors.

Attack Techniques

Once inside target networks, the group:

  • Deploys Godzilla web shells for persistent backdoor access
  • Stages ShadowPad implants via DLL sideloading of legitimate signed executables
  • Moves laterally using living-off-the-land techniques to avoid detection
  • Conducts long-term intelligence collection against government and defense targets
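One practical way to hunt for the first item above, web shell activity on an Exchange or IIS server, is to look in the IIS W3C request logs for script files being hit outside the server's known application directories. The script below is an added example, not code from the article or from Trend Micro: it parses the `#Fields:` header of an IIS log, then groups requests to `.aspx`/`.ashx`/`.asmx` paths that fall outside an assumed allowlist of Exchange virtual directories, counting POSTs, referer-less requests and distinct client IPs per path. The allowlist, the scoring heuristics and the sample log lines are all constructed assumptions to be replaced with an inventory of your own environment.

```python
"""Hunt IIS W3C logs for web-shell-style request patterns.

Added illustrative example; not the article's or Trend Micro's code.
The path allowlist and heuristics are assumptions to tune per environment.
"""

# Server-side script types that a dropped web shell would typically use (assumption).
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")

# Assumed baseline of virtual directories where an Exchange server legitimately
# serves ASP.NET content. Build this from your own server inventory.
KNOWN_APP_PREFIXES = (
    "/owa/", "/ecp/", "/ews/", "/autodiscover/", "/mapi/", "/oab/",
    "/rpc/", "/microsoft-server-activesync", "/powershell",
)

# Constructed sample log: ordinary OWA/ECP traffic, repeated referer-less POSTs
# to a script outside any known application directory, and one truncated line.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status time-taken
2025-01-10 08:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 203.0.113.10 Mozilla/5.0 - 200 45
2025-01-10 08:00:03 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 Mozilla/5.0 https://mail.example.test/owa/auth/logon.aspx 302 120
2025-01-10 08:05:12 10.0.0.5 POST /aspnet_client/diag.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 38
2025-01-10 08:05:13 10.0.0.5 POST /aspnet_client/diag.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 41
2025-01-10 08:05:15 10.0.0.5 POST /aspnet_client/diag.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 39
2025-01-10 08:06:00 10.0.0.5 GET /ecp/default.aspx - 443 admin 203.0.113.10 Mozilla/5.0 https://mail.example.test/owa/ 200 60
2025-01-10 08:07:00 10.0.0.5 GET
"""


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the names in #Fields."""
    fields = []
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Date etc. carry no request data
        parts = line.split()
        if not fields or len(parts) != len(fields):
            continue  # skip truncated/malformed lines instead of guessing columns
        records.append(dict(zip(fields, parts)))
    return records


def find_suspicious_scripts(records, known_prefixes=KNOWN_APP_PREFIXES):
    """Summarise requests to script paths outside the known application tree.

    Returns {uri_stem: {"posts", "gets", "no_referer", "client_ips", "statuses"}}.
    """
    hits = {}
    for rec in records:
        stem = rec.get("cs-uri-stem", "").lower()
        if not stem.endswith(SCRIPT_EXTENSIONS) or stem.startswith(known_prefixes):
            continue
        summary = hits.setdefault(stem, {
            "posts": 0, "gets": 0, "no_referer": 0,
            "client_ips": set(), "statuses": set(),
        })
        method = rec.get("cs-method", "").upper()
        if method == "POST":
            summary["posts"] += 1
        elif method == "GET":
            summary["gets"] += 1
        # IIS logs a bare "-" when no Referer header was sent.
        if rec.get("cs(Referer)", "-") == "-":
            summary["no_referer"] += 1
        summary["client_ips"].add(rec.get("c-ip", "?"))
        summary["statuses"].add(rec.get("sc-status", "?"))
    return hits


def rank_hits(hits):
    """Order flagged paths by a simple score: POST volume plus referer-less requests."""
    return sorted(hits.items(),
                  key=lambda kv: kv[1]["posts"] + kv[1]["no_referer"],
                  reverse=True)


if __name__ == "__main__":
    for stem, info in rank_hits(find_suspicious_scripts(parse_iis_log(SAMPLE_LOG))):
        print(f"{stem}: posts={info['posts']} gets={info['gets']} "
              f"no_referer={info['no_referer']} ips={sorted(info['client_ips'])} "
              f"statuses={sorted(info['statuses'])}")
```

On a real server, feed it the files under the IIS log directory and treat a flagged path as a lead, not a verdict: confirm it by checking the file on disk (creation time, whether it matches the application's deployment manifest) and by correlating with the `w3wp.exe` process spawning command interpreters, which is how the web shell and the subsequent living-off-the-land steps usually become visible to endpoint telemetry.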

Targeting Journalists and Activists

The Citizen Lab flagged parallel phishing campaigns by two distinct China-affiliated threat actors specifically targeting journalists and civil society:

GLITTER CARP targeted the International Consortium of Investigative Journalists (ICIJ) with sophisticated phishing infrastructure, first detected in April 2025.

SEQUIN CARP focused on ICIJ journalist Scilla Alecci and other international journalists covering China-related stories.

Targets also include Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora activists — communities that have historically been subject to Chinese state surveillance.

Significance

The simultaneous targeting of governments, NATO allies, investigative journalists, and diaspora activists reflects the comprehensive nature of Chinese state intelligence gathering. This is not a narrowly focused operation but a broad campaign designed to collect strategic intelligence, identify dissidents, and monitor geopolitical adversaries across multiple fronts simultaneously.

Organizations in the targeted sectors should immediately audit their internet-facing Exchange and IIS infrastructure for signs of compromise.